xEM no longer readable after first commands


#1

I purchased two xEM tags in hopes of encoding them with different data using the Proxmark tool. My goal is to use the tags externally (no plans to inject them into the body).

After removing the first tag from the syringe, it showed up as an EM4X tag when doing ‘lf search’ on the Proxmark. ‘lf hid clone …’ would not change the data on the tag. After wiping the tag, ‘lf search’ does not find anything, and I cannot talk to it anymore (even with ‘lf t55xx detect’).

I then tried programming the second tag while still inside of the syringe and sealed polymer bag. ‘lf t55xx detect’ returned results, and I could clone it with ‘lf hid clone …’. Successful cloning was verified by doing an ‘lf search’, and it returned positive results.

However, upon removing the tag from the syringe and placing it close to the antenna (the same angle/direction as when it was still in the bag/syringe), it no longer reads:

proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!

So now both tags are not returning results. Any help would be appreciated.


#2

My experience was that I could not read the xEM with a proxmark easy after a successful clone, but it did in fact work.

Have you tested it against the intended target reader?


#3

Yeah, I’ve tried it against a few different reader types (HID multiCLASS, AptiQ MT15), and they do not beep or read the chip at all.


#4

When it comes to writing data to the T5577 chip inside the xEM, it doesn’t matter what the device you use is… it’s still possible to tear the configuration bytes. Read this post;

https://forum.dangerousthings.com/t/quirks-of-the-t5577-cloning-tags-to-the-xem/

Now that you’re all caught up on tearing issues, I can say these things;

  1. the response you’re getting trying to read the xEM is the exact response you will get if one of the following is going on: A) you are reading a perfectly configured xEM chip but the coupling is bad due to placement, antenna geometry mis-match, etc. or B) your coupling is good but the configuration bytes on the T5577 have been configured due to invalid data being written, or a tear event occurring.

  2. recovery is possible https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners

  3. we need a proxmark3 manufactured with antennas designed to work with x-series chips.

Thanks,
Amal


#5

The weird thing is that with the second chip, I was able to read it perfectly fine while it was still in the syringe. As soon as I pushed the plunger and it slid out, it no longer would read. Nothing else changed.

Also is there a reason why the first chip was already reading as a pre-programmed EM4X tag, while the second one read as a blank T5577?